Track administrators' login and logout



mvisconti
24-Oct-2011, 13:36
Hi

I need to register the administrators' login and logout from my SLES 11
SP1 server. In /var/log/messages I see the login from ssh, but the
logout is missing. Moreover the login-logout with VNC is not logged.

Is it possible to activate the login-logout registration with ssh and
VNC?

Thank you

Marco


--
mvisconti
------------------------------------------------------------------------
mvisconti's Profile: http://forums.novell.com/member.php?userid=97561
View this thread: http://forums.novell.com/showthread.php?t=447223

amo vzug
26-Oct-2011, 08:56
Hi

The output from the "last" command shows you the login and the logout
time. Is this what you're searching?
Kind regards,
Tom


--
amo_vzug
------------------------------------------------------------------------
amo_vzug's Profile: http://forums.novell.com/member.php?userid=25342
View this thread: http://forums.novell.com/showthread.php?t=447223

mvisconti
26-Oct-2011, 11:26
amo_vzug;2148896 Wrote:
> Hi
>
> The output from the "last" command shows you the login and the logout
> time. Is this what you're searching?
> Kind regards,
> Tom

Thanks for the answer.
I need a way to register the login and logout in a log file using the
syslog-ng. With the default configuration, only the login with ssh is
logged.

Regards
Marco



thsundel
26-Oct-2011, 11:56
mvisconti;2148950 Wrote:
> Thanks for the answer.
> I need a way to register the login and logout in a log file using the
> syslog-ng. With the default configuration, only the login with ssh is
> logged.
>
> Regards
> Marco

This might help but not sure since I have not tried it:
http://www.suse.com/documentation/sled10/pdfdoc/auditqs_sp2/auditqs_sp2.pdf

Thomas


--
http://thsundel.blogspot.com/
------------------------------------------------------------------------
thsundel's Profile: http://forums.novell.com/member.php?userid=128
View this thread: http://forums.novell.com/showthread.php?t=447223

thsundel
26-Oct-2011, 12:06
thsundel;2148967 Wrote:
> This might help but not sure since I have not tried it:
> http://www.suse.com/documentation/sled10/pdfdoc/auditqs_sp2/auditqs_sp2.pdf
>
> Thomas

And here is for SLES11:
http://www.suse.com/documentation/sles11/pdfdoc/art_auditquick/art_auditquick.pdf

Thomas



amo vzug
26-Oct-2011, 12:36
You can increase the logging-information in the file
/etc/ssh/sshd_config from
"LogLevel INFO" (Default) to "LogLevel VERBOSE". This gives you the
following entries in /var/log/messages:


Code:
--------------------

Oct 26 13:23:29 server1 sshd[19058]: Connection from 99.99.99.99 port 50536
Oct 26 13:23:30 server1 sshd[19058]: Accepted keyboard-interactive/pam for user123 from 99.99.99.99 port 50536 ssh2
Oct 26 13:23:32 server1 sshd[19058]: Received disconnect from 99.99.99.99: 11: disconnected by user

--------------------


With this information, you can create your own syslog-ng-filter
(match-tag) to redirect login-/disconnect-messages to a certain file.
Regards,
Tom


--
amo_vzug
------------------------------------------------------------------------
amo_vzug's Profile: http://forums.novell.com/member.php?userid=25342
View this thread: http://forums.novell.com/showthread.php?t=447223
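
The three VERBOSE lines in the post above share one sshd PID, which is what lets a login be matched to its disconnect. The following is an added example, not part of the original post: it pairs logins with logouts over those three lines plus constructed ones, assuming every line of a connection carries the same PID as in that sample; `pair_sessions` and `open_sessions` are names chosen here.

```python
import re

# Constructed sample: the first three lines are the ones quoted in the post;
# the rest are constructed (a probe that never logs in, a session still open).
SAMPLE = """\
Oct 26 13:23:29 server1 sshd[19058]: Connection from 99.99.99.99 port 50536
Oct 26 13:23:30 server1 sshd[19058]: Accepted keyboard-interactive/pam for user123 from 99.99.99.99 port 50536 ssh2
Oct 26 13:23:32 server1 sshd[19058]: Received disconnect from 99.99.99.99: 11: disconnected by user
Oct 26 13:30:00 server1 sshd[19077]: Connection from 192.0.2.55 port 50100
Oct 26 13:30:01 server1 sshd[19077]: Received disconnect from 192.0.2.55: 11: Bye Bye
Oct 26 13:40:02 server1 sshd[19102]: Connection from 192.0.2.10 port 40122
Oct 26 13:40:03 server1 sshd[19102]: Accepted publickey for admin2 from 192.0.2.10 port 40122 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+")
DISCONNECT = re.compile(r"^Received disconnect from (\S+):")


def pair_sessions(lines):
    """Return one record per accepted login, with its logout time if seen."""
    open_by_pid = {}   # sshd PID -> session still waiting for a disconnect
    sessions = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not an sshd syslog line
        stamp, host, pid, msg = m.groups()
        acc = ACCEPT.match(msg)
        if acc:
            method, user, src = acc.groups()
            rec = {"host": host, "pid": pid, "user": user, "src": src,
                   "method": method, "login": stamp, "logout": None}
            sessions.append(rec)
            open_by_pid[pid] = rec        # a reused PID starts a new session
            continue
        disc = DISCONNECT.match(msg)
        rec = open_by_pid.get(pid)
        # Disconnects without a prior login (probes, failed auth) are ignored.
        if disc and rec and disc.group(1) == rec["src"]:
            rec["logout"] = stamp
            del open_by_pid[pid]
    return sessions


def open_sessions(sessions):
    """Logins with no matching disconnect: still connected, or logout not logged."""
    return [s for s in sessions if s["logout"] is None]


if __name__ == "__main__":
    for s in pair_sessions(SAMPLE.splitlines()):
        print(s["user"], s["src"], s["login"], "->", s["logout"] or "no logout logged")
```
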

mvisconti
26-Oct-2011, 14:36
amo_vzug;2148974 Wrote:
> You can increase the logging-information in the file
> /etc/ssh/sshd_config from
> "LogLevel INFO" (Default) to "LogLevel VERBOSE". This gives you the
> following entries in /var/log/messages:
>
> Code:
> --------------------
> Oct 26 13:23:29 server1 sshd[19058]: Connection from 99.99.99.99 port 50536
> Oct 26 13:23:30 server1 sshd[19058]: Accepted keyboard-interactive/pam for user123 from 99.99.99.99 port 50536 ssh2
> Oct 26 13:23:32 server1 sshd[19058]: Received disconnect from 99.99.99.99: 11: disconnected by user
> --------------------
>
> With this information, you can create your own syslog-ng-filter
> (match-tag) to redirect login-/disconnect-messages to a certain file.
> Regards,
> Tom

Many thanks!
Last question. Is it possible to log the login and logout with VNC in
the same way? When I connect with vncviewer, I don't see any message in
the log file (except error messages).

Regards
Marco



mvisconti
28-Oct-2011, 10:46
mvisconti;2149023 Wrote:
> Many thanks!
> Last question. Is it possible to log the login and logout with VNC in
> the same way? When I connect with vncviewer, I don't see any message in
> the log file (except error messages).
>
> Regards
> Marco

Maybe I found a solution. The VNC connection is logged by xinetd, thus
I must modify /etc/xinetd.conf

Thanks to all for the support.

Marco



rosario_mattera
04-Oct-2017, 14:09
Hi,
I know this is a very old thread but I'm experiencing the same issue described here, I mean that the /var/log/messages file doesn't contain any information about the logoff of the user but just only the login activity. Changing the log level to VERBOSE doesn't resolve the problem. Could you suggest something else to try?

Regards,
Ros

malcolmlewis
04-Oct-2017, 14:19
> Hi,
> I know this is a very old thread but I'm experiencing the same issue described here, I mean that the /var/log/messages file doesn't contain any information about the logoff of the user but just only the login activity. Changing the log level to VERBOSE doesn't resolve the problem. Could you suggest something else to try?
>
> Regards,
> Ros

Hi
A very old thread ;) Please start a new thread (add a prefix of the OS in use, potential newer tools etc) and the specific things you want to log.